CMMC Compliance Checklist

3 Min Read
CMMC Compliance Checklist

The U.S. Congress has recently set new requirements (CMMC) for companies with the Department of Defense (DOD). The company must now report any security breach in their networks to the Department of Homeland Security and be CMMC compliant.

That is an interesting move, as we have all heard of the breaches in many big business networks, which result in the theft of the personal information of millions of users. The policy change is because it is much easier to get to the source of the breach as opposed to the compromised information itself.

The DOD has recently had a spate of network security breaches that have compromised the information of individuals but not the data itself.

The recent case of the Department of Justice (DOJ) and the FBI also highlights that the FBI has access to any information stored in the cloud. This is one more reason why it is critical for companies to keep an eye on the security of their networks.

Ready to dive in?
Start Your Free Trial Today

What is the CMMC compliance?

CMMC (Cybersecurity Maturity Model Certification) was first published in 2020; CMMC will slowly be implemented over the coming five years. CMMC will be a core part of all future bidding processes for DoD contracts.

CMMC Compliance Checklist

Access Control

Create user rules of access to all internal networks and systems with a detailed up to date list of users and their privileges within the system.

Asset Management

Know what hardware, software, other technologies have access to the system. Create and document processes from daily backups to disposal of old equipment and destruction of stored data

Audit and Accountability

Track, log and timestamp user access, actions and information contact to CUI assets.

Training and Awareness

Cybersecurity training must be included in all levels of training incorporating how the employee interacts with the CUI data within their role.

Configuration Management

Map all devices and systems which uses and process CUI data.

Identification and Authentication

Unique identification of all users, devices, and every process.

Strong user identification process with a minimum complexity of passwords.

Incident Response

Plan of action for incidents, to detect and contain threats to data


Everything needs maintenance. Create a schedule for systems, hardware, and devices maintenance.

Document system updates and patches to software, hardware, and firmware.

Media Protection

Track all media containing sensitive data and manage the destruction.

Personnel Security

Carry out comprehensive background checks during hiring process.

Physical Protection

Restricted access to the building and all servers. Maintain a detailed list of employees with their access areas.


System backup schedules and test environments.

Risk Management

Risk management plan. Scan systems and networks for vulnerabilities and risks.

Security Assessment

Security audit to identify new vulnerabilities and emerging threats.

Situational Awareness

Establish processes to identify new risks and threats to the system.

Track external cybersecurity threats

System and Communications Protection

Define network boundaries, especially with the use of cloud-based systems.

Monitor end-point security.

Information and System Integrity

Up-to-date and patched components and software. Schedule regular updates.

CMMC Levels Certification

There are a number of different levels of compliance. Identify data you will need to use within the contract as it can require different types of compliance.

The National Institute of Standards and Technology (NIST) established NIST 800-172 & NIST 800-171 enhanced security requirements for protecting data government data and incorporated them as part of the certificate.

FCI Federal Contract Information – Data not ever intended for general or public release. You will require CMMC 5 levels certification.

CUI Controlled Unclassified Information – Data is sensitive but not classified. You will require CMMC 3 Levels certification.

  • CMMC Level 1 – Store federal contact data
  • CMMC Level 2 – Basic level security required to store and process CUI
  • CMMC Level 3 – Controlled Unclassified Information (CUI)
  • CMMC Level 4 –
  • CMMC Level 5 (Highest Level) – Storing extremely sensitive or classified data

Frequently asked questions
Looking for more info? Here are some things we're commonly asked

Yep, like every other website we also use
delicious cookies to track you.